eu.europa.esig.dss.validation.CAdESCertificateSource.java Source code

Java tutorial

  1. HOME
  2. Java
  3. eu.europa.esig.dss.validation.CAdESCertificateSource.java

Introduction

Here is the source code for eu.europa.esig.dss.validation.CAdESCertificateSource.java

Source

/**
 * DSS - Digital Signature Services
 * Copyright (C) 2015 European Commission, provided under the CEF programme
 *
 * This file is part of the "DSS - Digital Signature Services" project.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */
package eu.europa.esig.dss.validation;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.tsp.TimeStampToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import eu.europa.esig.dss.DSSASN1Utils;
import eu.europa.esig.dss.DSSException;
import eu.europa.esig.dss.x509.CertificatePool;
import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.SignatureCertificateSource;

/**
 * CertificateSource that retrieves items from a CAdES Signature
 */
public class CAdESCertificateSource extends SignatureCertificateSource {

    private static final Logger logger = LoggerFactory.getLogger(CAdESCertificateSource.class);

    final private CMSSignedData cmsSignedData;
    final SignerInformation signerInformation;

    private List<CertificateToken> keyInfoCerts;
    private List<CertificateToken> encapsulatedCerts;

    public CAdESCertificateSource(final TimeStampToken timeStamp, final CertificatePool certPool) {
        this(timeStamp.toCMSSignedData(),
                (timeStamp.toCMSSignedData().getSignerInfos().getSigners().iterator().next()), certPool);
    }

    /**
     * The constructor with additional signer id parameter. All certificates are extracted during instantiation.
     *
     * @param cmsSignedData
     * @param signerInformation
     * @param certPool
     */
    public CAdESCertificateSource(final CMSSignedData cmsSignedData, final SignerInformation signerInformation,
            final CertificatePool certPool) {
        super(certPool);
        if (cmsSignedData == null) {
            throw new DSSException("CMS SignedData is null, it must be provided!");
        }
        this.cmsSignedData = cmsSignedData;
        this.signerInformation = signerInformation;
        if (certificateTokens == null) {
            certificateTokens = new ArrayList<CertificateToken>();
            keyInfoCerts = extractIdSignedDataCertificates();
            encapsulatedCerts = extractEncapsulatedCertificates();
        }
    }

    /**
     * Returns the list of certificates included in (XAdES equivalent)
     * ".../xades:UnsignedSignatureProperties/xades:CertificateValues/xades:EncapsulatedX509Certificate" node
     *
     * @return list of X509Certificate(s)
     */
    @Override
    public List<CertificateToken> getEncapsulatedCertificates() {
        return encapsulatedCerts;
    }

    private List<CertificateToken> extractEncapsulatedCertificates() {
        final List<CertificateToken> encapsulatedCerts = new ArrayList<CertificateToken>();
        // Gets certificates from CAdES-XL certificate-values inside SignerInfo attribute if present
        if ((signerInformation != null) && (signerInformation.getUnsignedAttributes() != null)) {
            extractCertificateFromUnsignedAttribute(encapsulatedCerts, PKCSObjectIdentifiers.id_aa_ets_certValues);
            extractCertificateFromUnsignedAttribute(encapsulatedCerts,
                    PKCSObjectIdentifiers.id_aa_ets_certificateRefs);
        }
        return encapsulatedCerts;
    }

    private void extractCertificateFromUnsignedAttribute(List<CertificateToken> encapsulatedCerts,
            ASN1ObjectIdentifier oid) {
        final Attribute attribute = signerInformation.getUnsignedAttributes().get(oid);
        if (attribute != null) {
            final ASN1Sequence seq = (ASN1Sequence) attribute.getAttrValues().getObjectAt(0);
            for (int ii = 0; ii < seq.size(); ii++) {
                try {
                    final Certificate cs = Certificate.getInstance(seq.getObjectAt(ii));
                    final X509Certificate cert = new X509CertificateObject(cs);
                    final CertificateToken certToken = addCertificate(new CertificateToken(cert));
                    if (!encapsulatedCerts.contains(certToken)) {
                        encapsulatedCerts.add(certToken);
                    }
                } catch (Exception e) {
                    logger.warn("Unable to parse encapsulated certificate : " + e.getMessage());
                }
            }
        }
    }

    /**
     * Returns the list of certificates included in CAdES equivalent of XAdES "ds:KeyInfo/ds:X509Data/ds:X509Certificate" node.
     * <p/>
     * They are extracted from id-signedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 2 }
     * <p/>
     * SignedData ::= SEQUENCE {<br>
     * - version CMSVersion,<br>
     * - digestAlgorithms DigestAlgorithmIdentifiers,<br>
     * - encapContentInfo EncapsulatedContentInfo,<br>
     * - {@code certificates} [0] IMPLICIT CertificateSet OPTIONAL,<br>
     * - crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,<br>
     * - signerInfos SignerInfos<br>
     * }<br>
     *
     * @return list of X509Certificate(s)
     */
    @Override
    public List<CertificateToken> getKeyInfoCertificates() {
        return keyInfoCerts;
    }

    @SuppressWarnings("unchecked")
    private List<CertificateToken> extractIdSignedDataCertificates() {
        final List<CertificateToken> essCertIDCerts = new ArrayList<CertificateToken>();
        try {
            final Collection<X509CertificateHolder> x509CertificateHolders = cmsSignedData.getCertificates()
                    .getMatches(null);
            for (final X509CertificateHolder x509CertificateHolder : x509CertificateHolders) {
                final CertificateToken x509Certificate = DSSASN1Utils.getCertificate(x509CertificateHolder);
                final CertificateToken certificateToken = addCertificate(x509Certificate);
                if (!essCertIDCerts.contains(certificateToken)) {
                    essCertIDCerts.add(certificateToken);
                }
            }
        } catch (Exception e) {
            logger.warn("Cannot extract certificates from CMS Signed Data : " + e.getMessage());
        }
        return essCertIDCerts;
    }
}